UX Blindspot: Cookie Diabetes and Consent Fatigue | by Milovan Jovicic | UX Coll...

 3 years ago
source link: https://uxdesign.cc/ux-blindspot-cookie-diabetes-and-consent-fatigue-d53220292a0a

UX blindspot: Cookie diabetes and consent fatigue

The most clickable interface element on the web needs more love.

Mosaic of various cookie consent messages

Do you know which component of your website every single visitor interacts with at least once? Is it the powerful one-liner you shaped through hours of brainstorming? Maybe a hero image placed above the fold conveying a strong message about your product? Is it that main call-to-action button you refined with love and A/B testing?

None of these.

It’s the data collection consent message [1] that every website visitor deals with at least once. Any website collecting unique data about users has to ask a visitor to approve or not approve the data collection before it occurs. This consent is required by law in some countries [2]. The problem is that most websites don’t explain what the consent is about. They don’t give equal options for accepting or declining data collection during a website visit.

How it came to be: discovering consent fatigue

Recently I noticed a strange message on a site I frequently visit [3]:

Cookie Consent Notification from Theguardian.com
Happy or not?

My first reaction was self-reflection (“Am I really happy?”) which was obviously not the purpose of my website visit.

I got another even stranger message later while visiting another website:

Cookie Consent Notification Banner
Do they really?

I accidentally read this as “We value your privacy… I disagree.” for a strange reason.

This was worse than all of the rest:

BuzzFeed News website consent banner
Exit from modal window or exit from the site?

Seems like you’re agreeing to the cookie consent and exiting the site.

Something just didn’t feel right.

I suddenly became sensitive to UI obstacles of this type each time I browsed a previously unvisited website, and I compulsively started collecting the most interesting screenshots of those elements. Here’s a collection of consent messages from the websites I visited in the past month [4]:

Mosaic of various cookie consent messages
These banners were compiled while I browsed regularly over one month.

What I was experiencing was “consent fatigue”: burdening users with questions and forcing decisions when they access a website for the first time.

I looked on the internet for an in-depth analysis of this phenomenon, only to find that most of the writing focused on symptoms, that is, interface representations of the consent (modals, popups, fixed headers/footers, forced actions). There was little to no analysis of the root cause of consent fatigue.

I think this complex issue is related to communication and interaction. As an engineer and designer interested in hard problems I was intrigued to break it down and understand why consent components are designed this way and what could be improved.

Community survey as a sanity check

I surveyed fellow designers from the UX community for representative examples of consent interactions. I asked the following question:

Does anyone know an example of usable, user-friendly and understandable example of cookie consent messaging and/or cookie interface? There are tons of bad examples around but very few good examples, thus I need your help — thanks in advance!

There were humorous responses:

Haha, that’s because there are no good examples. — Jess_Sand

Once I saw one on a food blog that said “We like cookies.” — Katie

Negative answers:

Ultimately cookie consent is a user irritant so any “good” examples are still going to be poor UX. — Brett Maraldo

There were analytical answers:

It’s German and doesn’t look too great from a UI perspective, but from a UX point of view I like this example: https://taz.de/
Clearly asks me if I’m fine with all cookies or want to customize, if I customize I can either enable/disable cookies individually (okay) disable all but the essential cookies (so no ads or tracking cookies, this is what I want) again allows me to just accept all and everything without any dark patterns trying to trick me into allowing all.
Again, nothing fancy, but gives me clear options, direct access to the most used case (no ads and tracking), still customizable if I want and no dark patterns — Alex J

There were more answers with examples:

I’m not sure what exactly you’re writing, but Pinterest does a good job at explaining things. — Anonymous

I was impressed with the clarity of Ikea’s flow at one point. — Jess_Sand

It’s not perfect (the banner to get there is still kind of intrusive), but I like that The Guardian just boils it down to two equally-weighted choices, and you only have to deep-dive into individual settings if you want to. — calum-b

I’ve used the Civic Cookie Consent script on a few sites and it is about the cleanest I could find. Very easy to integrate as well. It is used by the UK Information Commissioner’s Office — which is the official source of info regarding UK cookie consent. — Darrell Wilson

Fellow UX people shared the same sentiment and were eager to share their experience — I was not alone!

Understanding the cause of consent fatigue: content and interaction

I tried to analyze the content of consent messages as honestly as I could seeing them for the first time. I compiled a list of questions that the average website visitor could ask themselves when looking at a typical consent message:

  • What are cookies?
  • How can cookies improve my experience?
  • What is the difference between “necessary” and “unnecessary” cookies?
  • Why should I accept or reject cookies?
  • What will happen if I accept cookies?
  • What will happen if I don’t accept cookies?
  • Why does this website need to track me?
  • How can I revoke my cookie preference?
  • Can I just reject tracking cookies and continue using the site normally?
  • I don’t understand the privacy policy, even if I read it again.
  • What is GDPR?

All of the above questions can converge into:

  • Why is this website preventing me from doing what I want?

Website owners presumably didn’t plan this kind of experience for their users.

It’s important to try to minimize blindspots while doing analysis like this. Therefore I changed sides and tried to put myself in the shoes of a website owner who is obliged to place a consent message on the website. Here are the concerns I could think of:

  • My website is in the EU and I am obliged to explain how I process data collected from users. What to do?
  • What is the easiest way to display the required consent message?
  • Do I need to show user consent on every website page?
  • Users are complaining about intrusive consent messages. What can I do about that?
  • Is it acceptable for my business to allow visitors to easily disable all tracking and data collection?

Those questions boil down to:

  • Can I get enough website usage analytics without user fingerprinting or serving cookies? What are the alternatives?
  • Can I continue to provide a service as previously without adding unnecessary cookies?

To understand the reciprocity between basic user and business needs, let’s show them side-by-side:

Comparison of User and Business needs on a typical transactional or publisher website
Overview of user and business needs using common transactional or publisher website as an example

Analyzing interaction design on a compiled set of consent messages [5] was no less interesting — I saw the main ideas repeating themselves. Here are observed interaction patterns ordered by level of severity, from mediocre to acceptable UX [6]:

  • Serving cookies and fingerprinting a session to track a visitor without showing any message
  • Showing only the information that the website uses cookies and other technologies without enabling a visitor to undertake any action about the consent
  • Showing a single call-to-action with information about giving consent, giving the user a fake sense of control
  • Showing the primary call-to-action for giving consent emphasized along with a link at the end to “Read more”, thus making it harder to revoke consent and obscuring opposite action
  • Showing the main call-to-action to give consent along with a less prominent secondary call-to-action that leads to “customize settings” (which is not the opposite action)
  • Showing two calls-to-actions that look the same and have opposite actions (give consent, revoke consent).

While I try not to be prescriptive in this analysis, I’d say that the only fair and non-misleading example is the last one. It’s also the only one that gives us an actual choice to not share our data.

Conclusions from the analysis of consent components

  • Websites (unfairly) assume that visitors know what a cookie is and does.
  • The consent question is frequently misleading: accept cookies vs. whether to track a visitor or not.
  • Most consent messages do not use plain language. They obscure the message by emphasizing technical details (“we use cookies”) over collecting user behavior data that is being saved, used or sold.
  • “We’ve put cookies on your device to make the website better” translates to the users’ language as: “I’m using my computer’s resources to save files so that the website owner can track me and make their website better for their business needs.”
  • Typical website consent elements say: “Accept cookies or no access for you.”
  • Consent messages are persuasive, which isn’t GDPR compliant: consent must be freely given, so the message should be neutral.
  • Saying “We use cookies” doesn’t tell the user anything — it’s like saying “a car uses a road.” The website owner can say “We use HTML and Javascript to provide you content on this website.” That information is of low value to the user. So the cookie isn’t the problem, it’s what the website does with the information.
  • It’s impossible to summarise all the implications of the users’ decision under one call to action like “Accept” or “I agree.”
  • Users do not understand what is going on with their data and don’t know that somebody has their information, or how and where the data is being used.
  • Some websites notify users that by using the site consent is granted — therefore, users implicitly accept the consent. Other websites allow users to accept or reject consent explicitly, through direct interaction. The latter is a more fair option.
  • Many websites collect user data whether users agree or not, making the notification pointless.

Almost every consent notification breaks the basic rules of UX: understandability, clarity, brevity. It causes confusion. It negatively affects the overall website experience — especially when it’s placed intrusively.

A regular website user has to make a lot of decisions while browsing. I think therein lies the root cause of consent fatigue: when designers flood the website with elements that require users’ response without explaining value, it results in a poor experience.

The fact is that third-party trackers are building up databases with information about you and your browsing habits. Advertising networks use cookies to track users’ behavior and cross-site movement. “Ads keep our service free” is a try-to-be-sincere message that some websites convey in their consent messages. What those websites are trying to say is “Please give us consent for saving and processing data about your behavior so that we can keep our site in operation for free to you.”

Technically, the consent is not uniquely related to approval for saving cookies to your hard drive. Your unique “browser fingerprint” could be created using your IP address, browser version, operating system and other data you expose whenever visiting some site on the internet [7].

Let’s call things by their real names. It’s not “cookie consent”; it’s “approval for data collection” and in many cases “agreement for selling your data to 3rd parties.” Mentioning cookies just obscures the real intent of the website owner. Fair cookie consent must be about a purpose (tracking), not about a means to an end (cookie).

Making a better consent component

So, how can we improve the current state of things? Is there a solution to consent fatigue? How can we inform users honestly while still keeping our business sustainable?

While doing research projects I saw that most users overcome obstacles like modal windows and notification banners by blindly and automatically clicking the most obvious element. Consequently, users give away their data for use in promotional purposes or have websites sell their data to 3rd parties, without ever knowing it.

Let’s be honest — almost every user will eventually click to accept cookies if they have strong motivation to use the website. I think designers should pay attention to a fair choice between giving and denying consent. They should focus on the clarity of consent messages while avoiding ambiguity.

Website visitors should be able to make an informed decision if they are willing to give their data, what amount of data is given to whom in what timespan, and for what purpose data will be used. Therefore, website owners should not nudge the visitors toward their preferred option — which is fingerprinting, tracking and eventually selling their data. Website owners should give a fair choice between two options. They should explain what happens to users’ data, how it will be stored and for how long. Nothing should be left to interpretation.

We should be aware that design cannot resolve all problems; however, one innocent design decision can mess up complex business rules. Designers should aim beyond design: talking with all business stakeholders, questioning current business models and working on incremental improvements is always a good idea.

My proposal for improvement

I remember browsing the web in a browser within a single window, struggling to type full URLs along with the http:// prefix and with poor support for web standards [8]. Browser evolution has come a long way since then. Typical web users expect a consistent experience across browsers: standardized components such as a refresh button, an address bar that accepts both URLs and search queries, back and forward buttons, tabs, secure HTTPS protocol notifications, incognito mode and so on. This is analogous to driving your car: steering wheel, pedals, lights and blinkers are found in every contemporary vehicle.

I dream of having something similar: a standardized browser component that handles user-generated data with respect to privacy and transparency.

This component will treat users’ data with respect, inform the user about which data is sent, when and to whom. It will give users the option to take control of their data. I think GDPR rules are a good start towards better “privacy as experience” and better handling of user data.

A consent indicator is constantly shown in the browser (similar to the SSL “lock” indicator); the user can interact with the indicator and understand what the website will do with data. The user is always able to revoke consent, being aware of the implications.

The idea of a unified privacy control is not new at all: there were already some promising initiatives (although at the level of network protocols) [9]. Big tech companies these days realize that allowing users to control their privacy is an opportunity to gain a competitive advantage in the fragmented browser market, and they are making some minuscule but promising steps toward better browsing privacy [10].

By moving decisions about data collection from websites to browsers, everybody wins: users get a coherent and unique experience across websites and businesses can monetize their content by exposing clearly what data is being used for what purposes; and if the user does not give the consent, he won’t get to the content. I know that the paywall model is unpopular among users but at least users will not be the product anymore [11].

This proposal is not without flaws. The questions easily pile up:

  • Will businesses accept changing their models toward more privacy in data collection? Likely not, if they are not forced to do so. But remember the situation with SSL: when major browsers decided to penalize every website that doesn’t have an SSL certificate installed, all of a sudden the situation changed and almost every website now has SSL installed.
  • How would a “universal paywall” model work? Will some committee of big publishers step up (in case this proposal comes to realization) and offer their interpretation and approach? Or maybe the opposite: will the initiative for data collection transparency be orchestrated by independent, open web organizations (my preferred option)? [12]
  • Will the browser makers (Google and others) support the idea of standardizing data collection mechanisms? What are their motivations?
  • Is the web ready for this big change? I think it surely is.
